feat(timetable): six artist-domain controllers + RFC §6 routes

Six thin controllers under app/Http/Controllers/Api/V1/Artist/. Zero
business logic: every mutation routes through a service from
app/Services/Artist/. Authorization via Gate::authorize matching
PersonController convention (request authorize() returns true; gates
fire in the controller).

  ArtistController          — org-scoped CRUD + restore. Catches
                              DuplicateArtistException → 409 with
                              duplicate_artist_id so the dialog can
                              offer "use existing".
  GenreController           — org-scoped CRUD; catches GenreInUseException
                              → 409 with referencing_artists_count.
  ArtistEngagementController — event-scoped CRUD; catches
                              InvalidStatusTransitionException → 422
                              with a Dutch-readable message.
  StageController           — event-scoped CRUD + reorder + replaceDays;
                              catches StageDaysOrphanedPerformancesException
                              → 409 with the orphaned performance ids
                              and the removed event ids per RFC §10.5.
                              destroy returns the parked performance
                              count (cascade-park).
  PerformanceController     — event-scoped CRUD with index filters
                              `?day={subevent}` and `?stage_id=null`
                              (wachtrij). update is non-placement only.
  TimetableMoveController   — single __invoke for POST /timetable/move.
                              Catches VersionMismatchException → 409
                              with current_version + server_data per
                              RFC D14.

Routes wired into api/routes/api.php nested under the existing
organisations/{organisation}/events/{event} prefix group, matching
PersonController and ShiftController structure. The move endpoint
gets the new `idempotency.60s` middleware alias for R1. `stages/order`
and `stages/{stage}/days` registered before the apiResource so the
literal path wins over the wildcard.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/Artist/ArtistEngagementController.php

@@ -0,0 +1,117 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1\Artist;
+
+use App\Exceptions\Artist\InvalidStatusTransitionException;
+use App\Http\Controllers\Api\V1\Traits\VerifiesOrganisationEvent;
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Api\V1\Artist\CreateArtistEngagementRequest;
+use App\Http\Requests\Api\V1\Artist\UpdateArtistEngagementRequest;
+use App\Http\Resources\Api\V1\Artist\ArtistEngagementResource;
+use App\Models\Artist;
+use App\Models\ArtistEngagement;
+use App\Models\Event;
+use App\Models\Organisation;
+use App\Services\Artist\ArtistEngagementService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
+use Illuminate\Support\Facades\Gate;
+
+final class ArtistEngagementController extends Controller
+{
+    use VerifiesOrganisationEvent;
+
+    public function __construct(
+        private readonly ArtistEngagementService $service,
+    ) {}
+
+    public function index(Request $request, Organisation $organisation, Event $event): AnonymousResourceCollection
+    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
+        Gate::authorize('viewAny', [ArtistEngagement::class, $event]);
+
+        $query = ArtistEngagement::query()
+            ->where('event_id', $event->id)
+            ->with(['artist.defaultGenre', 'projectLeader']);
+
+        if ($request->filled('status')) {
+            $query->where('booking_status', $request->string('status'));
+        }
+        if ($request->filled('search')) {
+            $term = '%'.$request->string('search').'%';
+            $query->whereHas('artist', fn ($q) => $q->where('name', 'like', $term));
+        }
+
+        return ArtistEngagementResource::collection(
+            $query->orderBy('created_at', 'desc')->paginate(50),
+        );
+    }
+
+    public function show(Organisation $organisation, Event $event, ArtistEngagement $engagement): JsonResponse
+    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
+        Gate::authorize('view', [$engagement, $event]);
+
+        $engagement->loadMissing([
+            'artist.defaultGenre', 'artist.agentCompany', 'artist.contacts',
+            'projectLeader', 'performances.stage',
+        ]);
+
+        return $this->success(ArtistEngagementResource::make($engagement));
+    }
+
+    public function store(CreateArtistEngagementRequest $request, Organisation $organisation, Event $event): JsonResponse
+    {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
+        Gate::authorize('create', [ArtistEngagement::class, $event]);
+
+        $data = $request->validated();
+        $artist = Artist::query()->findOrFail($data['artist_id']);
+
+        try {
+            $engagement = $this->service->create($event, $artist, $data);
+        } catch (InvalidStatusTransitionException $e) {
+            return $this->error($e->getMessage(), 422);
+        }
+
+        return $this->created(
+            ArtistEngagementResource::make($engagement->load(['artist.defaultGenre', 'projectLeader'])),
+        );
+    }
+
+    public function update(
+        UpdateArtistEngagementRequest $request,
+        Organisation $organisation,
+        Event $event,
+        ArtistEngagement $engagement,
+    ): JsonResponse {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
+        Gate::authorize('update', [$engagement, $event]);
+
+        try {
+            $engagement = $this->service->update($engagement, $request->validated());
+        } catch (InvalidStatusTransitionException $e) {
+            return $this->error($e->getMessage(), 422);
+        }
+
+        return $this->success(
+            ArtistEngagementResource::make($engagement->load(['artist.defaultGenre', 'projectLeader'])),
+        );
+    }
+
+    public function destroy(
+        Organisation $organisation,
+        Event $event,
+        ArtistEngagement $engagement,
+    ): JsonResponse {
+        $this->verifyEventBelongsToOrganisation($organisation, $event);
+        Gate::authorize('delete', [$engagement, $event]);
+
+        $this->service->softDelete($engagement);
+
+        return response()->json(null, 204);
+    }
+}